Universal Plug and Play (UPnP™) defines an architecture for the network connectivity of intelligent appliances, wireless devices, and PCs of all form factors. The goal of UPnP™ technology is to provide easy-to-use, flexible, standards-based connectivity for ad-hoc or unmanaged networks, whether in a home, in a small business, or in public spaces. In support of this goal, UPnP™ supports zero-configuration, “invisible” networking and the automatic discovery of devices from a wide range of manufacturers. As a result, a device can dynamically join a network, obtain an IP address, convey its capabilities to the network, and determine the presence and capabilities of other devices.
UPnP™ is more particularly an open networking architecture that consists of services, devices, and control points. Control points are essentially software applications and are the active components of the UPnP™ architecture. Devices are physical or logical entities, enumerated via simple eXtensible Markup Language (XML) descriptions and containing Application Programming Interfaces (APIs) referred to as services. Physical devices may host multiple logical devices, and each device may host multiple services. Services are groups of states and actions. For example, a light switch has an “on” state and an “off” state. An action allows the network to determine the state of the switch or to change the state of the switch. Services typically reside in devices.
One of the primary concerns with emerging connectivity architectures is security. In this regard, the base UPnP™ protocols include no security of their own. One of the message formats supported by UPnP™, the Simple Service Discovery Protocol (SSDP), provides for the discovery of devices on the network and is difficult to secure, since discovery necessarily involves parties that have not yet authenticated one another. Another supported message format, the General Event Notification Architecture (GENA), provides for subscribing to event reports and for the publication of those events. GENA is secured by controlling subscription to events and by encrypting the events. A further supported message format, the Simple Object Access Protocol (SOAP), provides for control of the network devices through remote procedure calls between control points and devices. SOAP is secured by allowing only authorized control points to invoke any secured action within a device. This is accomplished by an Access Control List (ACL) held in each secured device. Each ACL entry names a control point unique ID, the name of a group of control points, or the universal group “<any/>”, and specifies what that control point or group is allowed to do on that device; a control point matching no entry is refused.
The UPnP™ architecture includes a Device Security Service that provides strong authentication, authorization, replay prevention, and privacy for UPnP™ SOAP actions. Under this architecture, a device enforces its own access control, but its access control policy is established and maintained by an administrative application called a Security Console. The UPnP™ Security Console Service edits the ACL of a secured UPnP™ device and controls other security functions of that device. Thus, UPnP™ Security is provided by a pair of services, Device Security and Security Console. Device Security implements access control for itself and for the other services in the same device. A primary function of the Security Console is to let a user select, from among the physically accessible devices and control points, those that the Security Console will administer.
The Security Console is a combination of a device and a control point that can be a separate component or part of some other component. Its purpose is to take security ownership of devices and then to authorize control points (or other Security Consoles) to access the devices over which the Security Console has control. A control point need not be selective about which Security Consoles it advertises itself to: the control point is only the beneficiary of grants of authority, and all decision making is done by the Security Console. The situation, however, is reversed for devices. A device has the resources (SOAP actions) to which access must be restricted, and the Security Console, by editing the device's ACL, tells the device which control points to obey. A device should therefore be very selective about which Security Console it associates with.
Under the generic ownership protocol defined by UPnP™ Security, a Security Console can take ownership of a device only if it knows the device's secret password and the device is not already owned. Once a device is owned, a Security Console that owns it can grant co-ownership to another Security Console or revoke it, but more importantly, a Security Console that owns a device can completely rewrite the device's ACL. The password therefore guards only the initial claim of ownership; all later changes to the device's policy pass through its owners.
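As an added illustration (not part of the UPnP™ specification and not code from any UPnP™ implementation), the following Python model ties together the two mechanisms described above: the ACL-based authorization of secured actions (entries naming a control point ID, a group, or “<any/>”, with any unmatched control point refused) and the ownership rule (a Security Console may claim an unowned device only with the secret password, and only owners may grant or revoke co-ownership or rewrite the ACL). The class and method names, the salted password hashing, and the sample control point IDs, group names and action names are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Universal group named in the text: an entry with this subject matches
# every control point.
ANY = "<any/>"


@dataclass(frozen=True)
class AclEntry:
    """One ACL entry: who (a control point ID, a group name, or ANY) may do what."""
    subject: str
    is_group: bool                      # True when subject is a group name or ANY
    actions: frozenset = field(default_factory=frozenset)


@dataclass(frozen=True)
class ControlPoint:
    cp_id: str                          # control point unique ID
    groups: frozenset = field(default_factory=frozenset)


class NotAuthorized(Exception):
    pass


class SecuredDevice:
    """A device that enforces its own ACL but lets only its owners edit it."""

    def __init__(self, secret_password: str):
        # Assumption: the device stores only a salted hash of its secret password.
        self._salt = secrets.token_bytes(16)
        self._pw_hash = self._hash(secret_password)
        self._owners: set[str] = set()   # IDs of owning Security Consoles
        self._acl: list[AclEntry] = []

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    # --- ownership ----------------------------------------------------------

    def take_ownership(self, console_id: str, password: str) -> bool:
        """Succeeds only if the device is unowned AND the password is correct."""
        if self._owners:
            return False                 # once owned, the password alone is not enough
        if not hmac.compare_digest(self._hash(password), self._pw_hash):
            return False
        self._owners.add(console_id)
        return True

    def _require_owner(self, console_id: str) -> None:
        if console_id not in self._owners:
            raise NotAuthorized(f"{console_id} does not own this device")

    def grant_co_ownership(self, by_console: str, new_console: str) -> None:
        self._require_owner(by_console)
        self._owners.add(new_console)

    def revoke_co_ownership(self, by_console: str, console: str) -> None:
        self._require_owner(by_console)
        self._owners.discard(console)

    def owners(self) -> frozenset:
        return frozenset(self._owners)

    # --- ACL editing and enforcement ---------------------------------------

    def write_acl(self, by_console: str, entries) -> None:
        """Owners may completely rewrite the ACL; any other caller is refused."""
        self._require_owner(by_console)
        self._acl = list(entries)

    def is_permitted(self, cp: ControlPoint, action: str) -> bool:
        """Default deny: permitted only if a matching entry lists the action."""
        for entry in self._acl:
            if entry.subject == ANY:
                matches = True
            elif entry.is_group:
                matches = entry.subject in cp.groups
            else:
                matches = entry.subject == cp.cp_id
            if matches and action in entry.actions:
                return True
        return False

    def invoke(self, cp: ControlPoint, action: str) -> str:
        """Simulated secured SOAP action: runs only for an authorized control point."""
        if not self.is_permitted(cp, action):
            raise NotAuthorized(f"{cp.cp_id} may not invoke {action}")
        return f"{action} executed for {cp.cp_id}"
```

The model makes two properties of the text explicit: with an empty ACL every action is refused, so a freshly owned device obeys no one until its owner writes entries, and a second Security Console that knows the password still cannot claim an owned device; it must be granted co-ownership by an existing owner, after which it can rewrite the whole ACL.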
Although UPnP™ Security provides adequate security for supported devices, it is always desirable to improve upon existing techniques.